Streamline Identity Management with AWS Directory Service and One Identity Active Roles

In this blog post, we will explore several scenarios in which combining AWS Managed Microsoft AD and One Identity Active Roles can streamline and accelerate your AWS workload implementations.

Many organizations rely on Microsoft Active Directory (AD) to manage identities and access controls, and extending AD infrastructure to the cloud is a common goal. This need often arises in scenarios such as mergers, acquisitions, divestitures, workload modernization, and hybrid operations that involve both on-premises and cloud-managed workloads. For example, industries like mining and oil drilling may require on-premises AD for local operations while leveraging cloud-native solutions for burst compute capacity.

To address these needs, customers typically adopt one of two approaches: deploying additional domain controllers on Amazon Elastic Compute Cloud (Amazon EC2) instances and treating AWS Regions as additional sites within their self-managed AD, or modernizing by using AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) to offload the management of domain controllers. Both methods, however, can leave some complexities unaddressed, requiring additional solutions.

In 2023, AWS Managed Microsoft AD added support for One Identity Active Roles to tackle these complexities more effectively. This integration allows for the synchronization of identities across various sources, such as self-managed Active Directory, human resources (HR) systems, and modern identity providers. Active Roles enhances identity management by adding auditing, governance controls, automated provisioning, and approval workflows. It also enables the consolidation of multiple AD domains into a single AWS Managed Microsoft AD without the need for trusts, simplifying workforce identity integration with AWS services like Amazon WorkSpaces, Amazon Relational Database Service (Amazon RDS), and Amazon QuickSight. Furthermore, Active Roles provides a centralized console to monitor and manage identities across integrated apps and providers, with comprehensive change logging. With this integration, you can manage privilege delegation for all your teams, no matter which domain they happen to reside in.

Active Directory identity aggregation and migration

If you are planning to deploy your Active Directory dependent workloads on AWS using native services such as Amazon RDS or Amazon Aurora, you can leverage AWS Managed Microsoft AD for authentication. While there are additional solution options available, we will explain how the integration with Active Roles can streamline identity management by synchronizing existing users, their passwords, and their group memberships. With this method, multiple Active Directory forests and domains can have their users and groups merged into AWS Managed Microsoft AD. This simplifies the complex process of a traditional AD migration, which requires trusts between domains with unique names. Figure 1 shows how you can implement Active Roles in a shared account to replicate identities from multiple directories into a single AWS Managed Microsoft AD instance.

[Architectural diagram showing the Active Roles application synchronizing from three self-managed Active Directory domains to a single Active Directory domain hosted on AWS Managed Microsoft AD]

Figure 1: Active Roles replicating selected user and group information from multiple self-managed ADs to a single AWS Managed Microsoft AD

A major challenge with a traditional AD migration approach, when using a tool such as the Active Directory Migration Tool (ADMT), is the AD trust requirement. Active Directory trusts can only be established between domains with direct network connectivity and unique domain and NetBIOS names. ADMT, initially developed to support Windows 2000/2003-era systems, has several known limitations and receives only limited support from Microsoft. With Active Roles, the domain names can overlap, and network connectivity between the domain controllers is no longer required. The Active Roles server independently connects to each domain and synchronizes objects and attributes between the environments. This simplifies and secures the synchronization process and leads to less user confusion, because from the user's perspective the domain is the same.

There are several other business use cases that can be solved with this same AWS Managed Microsoft AD and Active Roles strategy.

Leveraging Active Roles for seamless synchronization of users and groups from your self-managed AD to AWS Managed Microsoft AD enables you to migrate off the self-managed AD. This reduces the overhead of managing the AD domain controller infrastructure and lets you benefit from the native integration of AWS Managed Microsoft AD with AWS services such as Amazon RDS, Amazon WorkSpaces, and Amazon QuickSight.

Active Roles allows synchronization of users and groups between domains with or without the same domain name, which is specifically useful for divestiture use cases, where you may want to separate a sub-section of the organization into a new domain.

Synchronizing users and groups from high-security Active Directory environments, where trusts are not permitted, to AWS Managed Microsoft AD can be achieved through Active Roles without needing connectivity or a trust between the AWS Managed Microsoft AD domain and the on-premises domain. Because the Active Roles server is the component that connects to each domain, its host and the credentials it uses become the boundary between the environments and should be protected and audited accordingly. By centralizing user account management and automating workflows, Active Roles enhances security while simplifying the administration of high-security on-premises and AWS Managed Microsoft AD environments. This solution provides secure synchronization of users, groups, passwords, and attributes, maintaining strict access controls and reducing potential security risks.

Non-production environment synchronization

You may have workloads that are required to be disconnected from the production environment. This is often the case with sandbox, development, and QA infrastructure. To provide authentication services to these isolated environments, you either need to permit access to the production directory or deploy new forests and domains that must be managed independently. In this case you’re faced with making a choice between security and operational efficiency.

With AWS Managed Microsoft AD, you can quickly and easily deploy new Active Directory domains in minutes. When you leverage AWS Managed Microsoft AD, you remove the burden of operating and maintaining additional non-production environments. AWS handles the tasks of monitoring, patching, and infrastructure management so you can focus on the things that matter to your business, like testing changes to your software solutions before moving them to production. AWS Managed Microsoft AD solves the AD infrastructure problem, but you are still faced with the operational overhead of maintaining duplicate accounts and groups in the various environments.

To meet this need and fully automate authentication services in your non-production environments, you need a user lifecycle management and synchronization solution. With a directory synchronization solution such as Active Roles, you can automatically synchronize users, groups, passwords, and attributes for only the objects that need to be accessible from each isolated environment. All of this is possible without setting up trusts or direct network connectivity between the domain controllers. Figure 2 shows how you could implement Active Roles in a shared account to replicate identities from a production Active Directory instance to multiple isolated directories on AWS.

[Architectural diagram showing the Active Roles application synchronizing from a single Active Directory domain hosted on AWS Managed Microsoft AD to three isolated AWS Managed Microsoft AD environments]

Figure 2: Active Roles replicating selected user and group information from the production directory to three isolated AWS Managed Microsoft ADs

There are many other similar use cases that can be solved with this method. For example, you could use it to populate AWS Managed Microsoft AD for use with Amazon WorkSpaces when a requirement prevents you from extending your existing Active Directory to AWS. You can keep disconnected directories in sync without directly tying domain controllers together over the network. This allows your users to keep using the same login credentials and automates user lifecycle management no matter where your Active Directory domains reside.

Manage multiple AWS Managed AD instances from a single pane of glass

With Active Roles, you can centralize management and governance of user accounts and access rights across multiple AWS Managed Microsoft AD directories as well as on-premises Active Directory environments.

Consider a scenario in which a large multinational organization has grown through multiple mergers and acquisitions over the years. As a result, the organization now has several AWS Managed Microsoft AD environments across its global operations, as well as some on-premises Active Directory environments, each with its own user accounts, groups, and administrative policies. This presents a challenge, as teams struggle to manage user identities and access rights consistently across disparate AWS managed and self-managed Active Directory domains. Active Roles enables you to connect to and manage all of your Active Directory forests and domains from a single console. It provides a unified administration interface for common tasks, such as user provisioning, group management, and access control, across the entire Active Directory landscape.

You can leverage the delegated administration capability of Active Roles to grant specific permissions to regional IT teams. This allows them to manage user accounts and access rights within their respective AWS Managed Microsoft AD environments while you maintain centralized oversight and control. Active Roles provides automated workflows to handle common identity management processes, such as new employee onboarding and access request approvals. These workflows ensure consistent, policy-driven provisioning and deprovisioning of user accounts across all of your Active Directory domains.

Another similar use case is when Managed Service Providers (MSPs) manage multiple AWS Managed Microsoft AD directories for their customers. By leveraging the Active Roles integration with AWS Managed Microsoft AD, MSPs can greatly simplify user lifecycle management and fine-grained permission delegation from a single pane of glass, with different views and permissions per customer. This integration also enables comprehensive reporting and auditing, allowing customers and MSPs to track identity-related activities, access changes, and compliance status across their entire Active Directory infrastructure in one place.

Summary

In this blog post, we examined how the combination of AWS Managed Microsoft AD and Active Roles can enable different business cases that would have previously required lengthy migrations, non-production workload access to production domain controllers, or user account duplication requiring additional identity management overhead.

If you are faced with a similar use case, we encourage you to try One Identity Active Roles. You can find out more about the service and get One Identity Active Roles directly from the AWS Marketplace.


Rodney Underkoffler

Rodney is a Senior Solutions Architect at Amazon Web Services, focused on guiding enterprise customers on their cloud journey. He has a background in infrastructure, security, and IT business practices. He is passionate about technology and enjoys building and exploring new solutions and methodologies.

Avik Bose

Avik has over 14 years of experience with Active Directory, cloud computing, and identity and access management. He is currently a Senior Software Development Manager with AWS Directory Service (https://thinkwithwp.com/directoryservice/).

Jeremy Girven

Jeremy is a solutions architect specializing in Microsoft workloads on AWS. He has over 16 years of experience with Microsoft Active Directory and over 25 years of industry experience. One of his fun projects is using AWS Systems Manager (SSM) to automate Active Directory build processes on AWS. To see more, check out the Active Directory AWS Partner Solution (https://thinkwithwp.com/solutions/partners/active-directory-ds/).

Tekena Orugbani

Tekena is a Sr. Specialist Solutions Architect at Amazon Web Services and a technologist of over 20 years, specializing in Microsoft technologies. At AWS, Tekena is focused on helping customers architect, migrate, and modernize their Microsoft workloads on the AWS Cloud. Outside work, he enjoys hanging out with his family and watching soccer.